Lawsuit: Sony laid off security staff, unprepared for PS3 hacks

Sony has been hit with another class-action lawsuit over the loss of customer …

A new class-action lawsuit has been filed against Sony that claims the company has been negligent with online security, leading to multiple hostile attacks and the loss of customers' private data. The suit claims that personal information—including credit card numbers and expiration dates—was taken from Sony's servers, and cites a number of confidential witnesses who claimed Sony's security was inadequate. Perhaps most damning is the claim that Sony laid off employees working in security before the attacks.

"Sony was more concerned about their development server being hacked rather than some consumer's data being stolen," according to a confidential witness quoted in the complaint. "They want to protect themselves and not the people that use their servers."

While Sony has always stressed that the company has no reason to believe credit information was compromised, the complaint treats the theft of credit card data as fact. The suit claims that Sony "spent lavishly to secure its proprietary development server containing its own sensitive information," while not providing nearly the same level of security for the information of its customers.

In fact, the suit alleges that Sony was trying to cut costs in this area. The following paragraph from the complaint explains the claim:

Just two weeks before the April breach, Sony laid off a substantial percentage of its Sony Online Entertainment workforce, including a number of employees in the Network Operations Center, which, according to Confidential Witness 2, is the group that is responsible for preparing for and responding to security breaches, and who ostensibly has the skills to bring the Network's security technology up-to-date.

Another witness stated that PS3 systems are designed to be secured by a random number generator, but in practice each console has the same access number, making each system easier to hack. If you have one code, you have them all. The suit also quotes Sony deputy president Kazuo Hirai as saying that the company will now bring security practices "at least in line with industry standards or better," leading to the conclusion that, prior to the hack, security was in fact below industry standards.

Other pieces of evidence from the suit are weaker, such as the claim that Sony's unwillingness to disclose the methods used to encrypt credit card data is evidence that the encryption is "either weak or easily broken."

The suit asks for "appropriate" restitution for class members, credit-monitoring services, and "exemplary damages" if it's found that Sony acted in a reckless or negligent manner.

meh, I said this waaaaaaaaaaaaaaaaaaaay back when people were just riding the down with Sony wave and only now it's worth mentioning. It was reported so long ago that the laid off employees could have gone the disgruntled route in the whole PSN thing.

The suit asks for "appropriate" restitution for class members, credit-monitoring services, and "exemplary damages" if it's found that Sony acted in a reckless or negligent manner.

Yeah, credit monitoring services for those actually affected (which Sony has already announced they are giving out), and *maybe* 5 bucks per person, if they're lucky. Oh, and of course $5 million for each lawyer involved.

I'm no Sony fan, but class action lawsuits are only good for the lawyers.

Is Sony still saying the credit card information was secure? It's a fact they were not secure. I am exhibit A and my friend is exhibit B. The cards we happened to register with PSN just happened to be used to make illegal purchases around the same time. Bull. It's a fact; the card numbers were stolen from PSN.

If you had a CC registered with PSN, don't wait. Just cancel the card /now/ and get a new number.

meh, I said this waaaaaaaaaaaaaaaaaaaay back when people were just riding the down with Sony wave and only now it's worth mentioning. It was reported so long ago that the laid off employees could have gone the disgruntled route in the whole PSN thing.

While Sony has always stressed that the company has no reason to believe credit information was compromised, the complaint treats the theft of credit card data as fact.

kamiller42 wrote:

Is Sony still saying the credit card information was secure? It's a fact they were not secure. I am exhibit A and my friend is exhibit B. The cards we happened to register with PSN just happened to be used to make illegal purchases around the same time. Bull. It's a fact; the card numbers were stolen from PSN.

If you had a CC registered with PSN, don't wait. Just cancel the card /now/ and get a new number.

I have multiple friends who also had false charges on their cards the week after the PSN went down. It only happened to the cards that were tied to their PSN account. If Sony is still claiming that credit cards tied to accounts are secure, they are even more delusional than I thought.

Maybe I missed this, but is a reason for the layoffs given besides cost cutting? Maybe they failed some sort of audit, did not correct it, and so were let go due to not doing their job? Granted the coincidence that Sony was totally destroyed weeks later is damning. Pure speculation on my part of course.

So did any one else have problems getting their 2 free games? I picked Dead Nation, started the d/l and then started playing Portal 2. Never got a notice that it finished the d/l and it isn't listed in my d/l list.

From what I read somewhere, the attack vector here was Apache in Sony's reserve datacenter which was left unpatched for 5 years. If this is the sort of work Sony's security team were doing, perhaps laying them off was the right decision.

Maybe I missed this, but is a reason for the layoffs given besides cost cutting? Maybe they failed some sort of audit, did not correct it, and so were let go due to not doing their job? Granted the coincidence that Sony was totally destroyed weeks later is damning. Pure speculation on my part of course.

Is Sony still saying the credit card information was secure? It's a fact they were not secure. I am exhibit A and my friend is exhibit B. The cards we happened to register with PSN just happened to be used to make illegal purchases around the same time. Bull. It's a fact; the card numbers were stolen from PSN.

If you had a CC registered with PSN, don't wait. Just cancel the card /now/ and get a new number.

As much as I hate to say it, anecdotal reports don't constitute fact. I'm not saying it wasn't the case, your data may have been compromised in that fashion, but we don't really know.

After all, out of 70 million customers...say 5 million had credit card info in there (pulling numbers out of my head). Even if they did run some numbers, it's probably pretty unlikely that they ran more than a few hundred. What are the odds that you and your friend's numbers were both used out of those 5 million? Both scenarios require significant coincidence, and hardly can be construed as "fact".

Not trying to vouch for or against any party here, just pointing something out.

Another witness stated that PS3 systems are designed to be secured by a random number generator, but in practice each console has the same access number, making each system easier to hack.

This sounds like someone didn't actually understand the "epic fail" presentation by fail0verflow. Neither the method by which the hack is successful nor how said hack can be utilized. They probably just skimmed an article that dumbed it down and only picked up on some of the key phrases. It's not rocket surgery folks.

From what I read somewhere, the attack vector here was Apache in Sony's reserve datacenter which was left unpatched for 5 years. If this is the sort of work Sony's security team were doing, perhaps laying them off was the right decision.

IT Managers are hard pressed to want to patch these systems, especially if it means a service interruption to a company where this is an income avenue. These types of decisions are handed down from the top. If management wants zero downtime, there will be zero time for patching and updates. If management doesn't understand proper risk management and assessment they'll continue to operate under the assumption that if the servers work, there's no need to take them off line. If any place I've previously worked for is any indication of Sony, they were given warnings by staff and were ignored. When something like this goes down, it's the people at the very top who made the decisions that take full blame, the peons are just trying to make a living and do the best they can given often counter-productive orders.

Is Sony still saying the credit card information was secure? It's a fact they were not secure. I am exhibit A and my friend is exhibit B. The cards we happened to register with PSN just happened to be used to make illegal purchases around the same time. Bull. It's a fact; the card numbers were stolen from PSN.

If you had a CC registered with PSN, don't wait. Just cancel the card /now/ and get a new number.

As much as I hate to say it, anecdotal reports don't constitute fact. I'm not saying it wasn't the case, your data may have been compromised in that fashion, but we don't really know.

After all, out of 70 million customers...say 5 million had credit card info in there (pulling numbers out of my head). Even if they did run some numbers, it's probably pretty unlikely that they ran more than a few hundred. What are the odds that you and your friend's numbers were both used out of those 5 million? Both scenarios require significant coincidence, and hardly can be construed as "fact".

Not trying to vouch for or against any party here, just pointing something out.

Is Sony still saying the credit card information was secure? It's a fact they were not secure. I am exhibit A and my friend is exhibit B. The cards we happened to register with PSN just happened to be used to make illegal purchases around the same time. Bull. It's a fact; the card numbers were stolen from PSN.

If you had a CC registered with PSN, don't wait. Just cancel the card /now/ and get a new number.

As much as I hate to say it, anecdotal reports don't constitute fact. I'm not saying it wasn't the case, your data may have been compromised in that fashion, but we don't really know.

After all, out of 70 million customers...say 5 million had credit card info in there (pulling numbers out of my head). Even if they did run some numbers, it's probably pretty unlikely that they ran more than a few hundred. What are the odds that you and your friend's numbers were both used out of those 5 million? Both scenarios require significant coincidence, and hardly can be construed as "fact".

Not trying to vouch for or against any party here, just pointing something out.

They wouldn't need to run those numbers, there are places on the web to sell that sort of thing.

From what I read somewhere, the attack vector here was Apache in Sony's reserve datacenter which was left unpatched for 5 years. If this is the sort of work Sony's security team were doing, perhaps laying them off was the right decision.

So did any one else have problems getting their 2 free games? I picked Dead Nation, started the d/l and then started playing Portal 2. Never got a notice that it finished the d/l and it isn't listed in my d/l list.

The option's in a weird place - Services, or something like that, on the Network menu - to have another go at picking your games. As far as the rest of the PSN Store interface is concerned, there are no free games. It's handled by that one application.

Is Sony still saying the credit card information was secure? It's a fact they were not secure. I am exhibit A and my friend is exhibit B. The cards we happened to register with PSN just happened to be used to make illegal purchases around the same time. Bull. It's a fact; the card numbers were stolen from PSN.

If you had a CC registered with PSN, don't wait. Just cancel the card /now/ and get a new number.

Well, I and everyone I know didn't have our CC numbers used, so therefore they were secure. Ok, so maybe that is not a valid conclusion. But then, neither is yours.

On the one hand, what is the chance that your card and your friend's card were both used after the hack unless it was hack related? I don't know. But if you were both compromised, then why were none of my 6 friends that have PS3s?

So on the one hand you have you and your friend both getting compromised around the same time, arguing against coincidence. But on the other hand, it clearly is a coincidence, because out of 9 people (me, my 6 friends, and you two), you two were the only ones that were compromised, and you happen to know each other.

Now, this is the flimsiest of statistics, because obviously I chose people I know. And I spoke up because they weren't hacked. If some had been hacked, I might not have mentioned it. On the other hand, you and your friend getting hacked cannot be extrapolated to the entire PSN CC database, either.

Is Sony still saying the credit card information was secure? It's a fact they were not secure. I am exhibit A and my friend is exhibit B. The cards we happened to register with PSN just happened to be used to make illegal purchases around the same time. Bull. It's a fact; the card numbers were stolen from PSN.

If you had a CC registered with PSN, don't wait. Just cancel the card /now/ and get a new number.

As much as I hate to say it, anecdotal reports don't constitute fact. I'm not saying it wasn't the case, your data may have been compromised in that fashion, but we don't really know.

After all, out of 70 million customers...say 5 million had credit card info in there (pulling numbers out of my head). Even if they did run some numbers, it's probably pretty unlikely that they ran more than a few hundred. What are the odds that you and your friend's numbers were both used out of those 5 million? Both scenarios require significant coincidence, and hardly can be construed as "fact".

Not trying to vouch for or against any party here, just pointing something out.

They wouldn't need to run those numbers, there are places on the web to sell that sort of thing.

True, but still the likelihood is that only a small subset of the numbers (if they even broke the encryption on them) would have been used. I believe adipose also worded my sentiments well.

I know a number of people who have had their credit card accounts closed and cards reissued due to suspicious transactions right after Sony lost customer data. There were multiple transactions for $30. The credit card companies do not disclose any details. They just close the account and if you don't catch it in time, all your bills end up being paid late.

Also, Sony's identity theft protection does not really monitor much. It does not monitor your credit reports or alert you if someone opened a line of credit in your name. You need to still be pulling your credit reports.

Other pieces of evidence from the suit are weaker, such as the claim that Sony's unwillingness to disclose the methods used to encrypt credit card data is evidence that the encryption is "either weak or easily broken."

That's not weak, that's one of the principles of cryptography: a system should be secure if you know everything but the secret key. If someone is coy about their system, then they're incompetent at best; or they know it's insecure, and they don't want you to find out.

Maybe I missed this, but is a reason for the layoffs given besides cost cutting? Maybe they failed some sort of audit, did not correct it, and so were let go due to not doing their job? Granted the coincidence that Sony was totally destroyed weeks later is damning. Pure speculation on my part of course.

In that case they would be FIRED.

There's a difference.

Sure there is, it all comes down to how HR wrote it up. If HR was sympathetic or something they could have just as easily labeled them laid off so that they could collect benefits. Besides, "laid off to save money" tends to set off slightly fewer alarm bells than "fired our security staff just before a breach." Makes it sound to people outside the company that it was a coincidence rather than someone knew something was up.

Just the fact that passwords were not hashed is damning enough IMO. I think they should be liable just based on that; it's a basic security precaution and there is no excuse for missing it other than negligence.

I don't know if the layoffs at Sony Online Entertainment were that damning since I believe SOE was supposed to be closed and replaced with Sony Network Entertainment International. I just wonder if it was a coincidence that the layoffs happened around the same time as the network hack.... or maybe a disgruntled employee was in on the job.

The suit asks for "appropriate" restitution for class members, credit-monitoring services, and "exemplary damages" if it's found that Sony acted in a reckless or negligent manner.

Yeah, credit monitoring services for those actually affected (which Sony has already announced they are giving out), and *maybe* 5 bucks per person, if they're lucky. Oh, and of course $5 million for each lawyer involved.

I'm no Sony fan, but class action lawsuits are only good for the lawyers.

The trick with CAL's is to see them as a truncheon of ever increasing size to beat misbehaving companies about the head with. I don't see it as me not getting much money, I see it as Sony losing a lot of money due to their incompetence.

Sure I wish that the individual class members would get more, but you bet your ass I'll join this class if possible in order to take another chip or two from these bastards.

I'm not trying to troll, but here's an idea. If people give their credit card number to the bike shop instead of Sony, and go for a bike ride, they not only wouldn't be hacked, but might lose a few pounds and some cholesterol.

Again, nothing against people playing a few games, but should it really be a big enough part of people's lives that we need to give credit card numbers - money - to Sony or anybody else on line?